Pressure builds as Congress seeks answers on Equifax breach

Members of Congress continue to put pressure on Atlanta-based Equifax, joining a chorus of consumer groups that have criticized the credit bureau in the wake of a massive security breach.

On Tuesday, 24 Democratic members of the House Energy & Commerce Committee demanded answers about the breach, which compromised the personal information of more than 140 million U.S. consumers. A day earlier, the leaders of the Senate Finance Committee made similar demands in a letter to Equifax Chairman and CEO Rick Smith.

So far, the House Financial Services and the Energy & Commerce committees have called for hearings on the matter. More than two dozen lawsuits seeking class-action status also have reportedly been filed against Equifax.

Jeffrey Meuler, an analyst with Robert W. Baird & Co. who follows Equifax, said the company faces risks of regulatory and legislative changes that could affect its business. A finding of severe negligence in the company’s data handling or ballooning fraud costs are also possible threats, he said.

“The fact there’s going to be a congressional inquiry is not surprising,” Meuler said. Under the circumstances, he said, “it is warranted.”

The demands by the House and Senate committee members underscore the seriousness of the breach that’s rocked the Fortune 500 company, which plays a crucial role in the American financial system.

“Your company profits from collecting highly sensitive personal information from American consumers — it should take seriously its responsibility to keep data safe and to inform consumers when its protections fail,” the letter from the House committee Democrats said.

On Monday after public pressure, Equifax said on Twitter it would waive fees for all applications for credit freezes for the next 30 days. The company also reversed itself and removed language in a suite of credit and identity theft protection services it is offering breach victims that consumer groups said would force users into binding arbitration and ban them from joining a class-action lawsuit.

Equifax, which traces its roots to the 1890s, helps banks decide whether to lend people money for homes and cars and whether to issue credit cards.

Equifax and fellow credit bureaus Experian and TransUnion also weigh in when you’re seeking a job, rental housing or insurance, helping companies verify whether you are who you say you are.

The company counts the federal government as a key customer, including the Internal Revenue Service, Centers for Medicare & Medicaid Services, the Social Security Administration and other federal agencies.

Letters from Congress

In a Monday letter to Smith, U.S. Sens. Orrin Hatch, R-Utah, and Ron Wyden, D-Ore., sought information about Equifax’s digital security infrastructure and further details about the personal information that was lost, and whether any government data also was exposed by criminal hackers. The senators also requested a detailed timeline of events about the breach and the company’s response.

The senators want answers about Equifax’s business, when it learned of the breach and about sales of stock by three Equifax executives days after the company learned of the incident but before the cyber theft had been made public.

The first question seeks a timeline of the breach, including “when it began, its discovery, the investigation of its scope and source, notification of authorities, efforts to notify customers and consumers, notification to the Equifax board of directors, and notification of Equifax senior executives — including, but not limited to, John Gamble Jr., Rodolfo Ploder, and Joseph Loughran.”

Gamble, Ploder and Loughran are the three executives who sold stock in the days after the July 29 discovery of the breach.

On Tuesday, U.S. Senator Heidi Heitkamp, D-N.D., called for an investigation into the stock sales, calling it “disturbing” that the sale appeared to happen before the incident was public, and stating that if a crime happened “somebody needs to go to jail,” according to Reuters.

Equifax has said the executives were not aware of the breach when they sold their shares.

“These are very complicated issues, and we expect to be engaging with regulators and legislators in the future,” Equifax spokeswoman Meredith Griffanti said in a statement about the Senate Finance Committee letter. She said the company plans to respond to the committee’s request for information and Equifax is “listening to issues that consumers are experiencing, and their suggestions are helping to further inform our actions.”

The House Democrats’ letter, which wants answers by Sept. 22, seeks information about steps the company is taking to protect consumers, as well as answers about the stock sales. Hatch and Wyden want answers by Sept. 28.

The matter could come before one or more House committee in the coming weeks.

‘Fumbled out of the gate’

Equifax announced the breach last Thursday after business hours with a YouTube video, news release and a website for consumers.

Equifax gave few details about how the data was accessed and whether it was their own operations that were breached or those of an outside vendor. The company said only that “criminals exploited a U.S. website application vulnerability to gain access to certain files.”

Unauthorized access to the information occurred from mid-May to July, the company said, and was discovered by the company on July 29. Equifax engaged an outside cybersecurity firm for a forensic review.

Consumer groups called Equifax’s response inadequate. Others complained that the website set up to guide potential victims gave conflicting information about whether consumers’ personal information was exposed. Call centers also weren’t adequately prepared, critics said.

The company also took flak for its offer of a package of credit and identity theft protection services because of a clause watchdogs said meant victims of the hack couldn’t sue or join a class-action case against Equifax for the cyber breach.

Equifax later said the terms of use applied only to issues that might arise during the use of the credit protection service, not from the hack. Bowing to pressure, the company removed the arbitration and class-action clauses from the terms of use.

Conroy Boxhill, an expert in crisis public relations, said Equifax had six weeks from the time it learned of the breach until informing the public, and should have been better prepared.

“They fumbled out of the gate and there’s an erosion of confidence,” Boxhill said. “People think they’re not trustworthy.”

Boxhill said the company needs to address the public directly, inform consumers how the problem will be fixed and stop relying on canned statements. Equifax, he said, needs a public face to help allay people’s fears.

“This is a major, major event. You can’t hide from a situation like this,” he said.

Meuler, the analyst, said missteps are amplified in such situations, though he credited Equifax with waiving fees and taking other steps in response to consumers fears.

“But I do think the company could probably benefit from taking a more proactive approach to engaging with the public, with the consumer,” he said.

Reader Comments ...

Next Up in Business

Kempner: When the gas station comes to you, why have a gas station?
Kempner: When the gas station comes to you, why have a gas station?

Well, this is bad timing. Now, that we have gas stations and convenience stores all over the place, are we on the verge of no longer needing so many?  Forget hopes for electric cars for a moment. We’re talking about drivers of gasoline-powered vehicles no longer having to hustle to the gas station. Because the station soon may be coming...
Customers want more tech, fewer people

Get out of our way. That’s the message customers have for merchants looking to improve their in-store experience, according to a new study of more than 2,900 adults and children in the U.S. and Canada. The survey, conducted winter by HRC Retail Advisory, found that a majority of buyers prefer to be left alone to browse while shopping and would...
Best AV receivers for 2018
Best AV receivers for 2018

So you’ve got the high-def, wide-screen, 4K video television, multiple surround speakers and a subwoofer the size of a dorm fridge. You’re almost there — but if you want the full home theater experience, you need an AV receiver to ride herd on all of it. These are the four best models CNET has reviewed over the last year. —&mdash...
How listening to random sound can unlock a trapped mind
How listening to random sound can unlock a trapped mind

LOS ANGELES – David Tobin took to the stage at a recent technology conference in downtown Los Angeles, asked the 500 attendees to close their eyes, and turned up the sound so they could sample his wares: a textured, layered soundscape that he calls an “audiojack.” A thousand eyes clamped shut as they collectively heard a ball thudding...
‘Yakuza 6’ a modern chapter in need of one vital update
‘Yakuza 6’ a modern chapter in need of one vital update

Jumping into the “Yakuza” series right now is a tricky proposition. Sega’s long-running underworld crime saga has been out for more than a decade and has several chapters that follow the exploits of legendary gangster Kazuma Kiryu. The developers have been trying to get both new and longtime fans into the series with a two-pronged...
More Stories